Ransomware decryption firms uncovered as frauds

By GCN Staff

May 15, 2019

While the standard advice to organizations hit by ransomware is to never pay the attackers, a new ProPublica investigation found two U.S. data recovery firms that claimed to help unlock data but actually paid the ransom and marked up their costs to the victims.

That such fraudulent firms have thrived underscores "the lack of other options for individuals and businesses devastated by ransomware, the failure of law enforcement to catch or deter the hackers, and the moral quandary of whether paying ransoms encourages extortion," ProPublica wrote.

The inattention from law enforcement, the report said, is partly a matter of scale: the typical ransom is only a few thousand dollars, well below the threshold that would trigger an investigation, according to former FBI Deputy Director John Pistole. Ironically, local law enforcement offices that lack the resources to investigate cybercrime have themselves become ransomware targets.

The companies profiled by ProPublica, Proven Data Recovery of Elmsford, N.Y., and Florida-based MonsterCloud, claimed to be able to unlock ransomed files with their own technology and expertise. Researchers can sometimes recover files without paying when a ransomware family's encryption implementation is flawed, one security expert interviewed noted, and when they do they generally publish those decryptors freely. But “if there is a company that claims they broke the ransomware, we are skeptical,” Fabian Wosar, a U.K.-based security researcher, told ProPublica. “Everything the ransomware did has been analyzed by other researchers. It’s incredibly unlikely they were the only ones to break it.”

In December 2016, Wosar and a colleague devised an experiment: they created their own ransomware variant and used it to infect one of their own computers. They then contacted MonsterCloud, Proven Data and other data recovery firms, posing as a victim who didn’t want to pay a ransom. According to ProPublica:

Wosar said he sent some sample encrypted files to the firms along with a fake ransom note that he had written. Like many ransom notes, the demand included an email address to contact the attacker for instructions on how to pay. Each note also contained a unique ID sequence for the victim, so Wosar could later identify which firm had contacted him even if it used an anonymous email account.

The firms eagerly agreed to help. “They all claimed to be able to decrypt ransomware families that definitely weren’t decryptable and didn’t mention that they paid the ransom,” Wosar said. “Quite the contrary actually. They all seemed very proud not to pay ransomers.”

Soon, the email accounts that he’d set up for the imaginary attacker began receiving emails from anonymous addresses offering to pay the ransom, he said. He traced the requests to the data recovery firms, including MonsterCloud and Proven Data.
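The attribution trick in the experiment above, a unique victim ID in each firm's copy of the ransom note so that whoever later writes to the "attacker" address can be traced back to the firm that received that note, is a canary-token scheme. The following is an added illustration of that idea and is not the researchers' tooling or anything from the ProPublica report. The secret, the decoy contact address, the placeholder firm names and the inbound messages are all constructed for the example; the only design choice beyond what the text describes is deriving each ID with an HMAC, so a firm that has seen its own ID cannot guess or forge another firm's.

```python
"""Per-recipient canary IDs in a decoy ransom note, with attribution of
inbound contact messages back to the firm whose note carried the ID.
Hypothetical illustration; not the researchers' or ProPublica's code."""
import hashlib
import hmac
import re

# Secret known only to the experimenter. IDs are HMAC(secret, firm name),
# so knowing one firm's ID reveals nothing about the others.
# Constructed example value; use os.urandom(32) for a real run.
TAG_SECRET = b"example-experiment-secret-do-not-reuse"
TAG_LEN = 16  # hex characters embedded in the note
ATTACKER_CONTACT = "restore-files@example.invalid"  # assumed decoy address

# Placeholder recipients (constructed; not the firms named in the article).
FIRMS = ["Recovery Firm A", "Recovery Firm B", "Recovery Firm C"]


def make_tag(firm: str, secret: bytes = TAG_SECRET) -> str:
    """Derive the unique, unguessable victim ID issued to one firm."""
    digest = hmac.new(secret, firm.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:TAG_LEN].upper()


def build_note(firm: str) -> str:
    """Fake ransom note handed to one firm; only the victim ID differs."""
    return (
        "ALL YOUR FILES HAVE BEEN ENCRYPTED.\n"
        f"Contact {ATTACKER_CONTACT} to receive payment instructions.\n"
        f"Your personal ID: {make_tag(firm)}\n"
    )


# A victim ID is a standalone run of exactly TAG_LEN uppercase hex digits.
TAG_RE = re.compile(r"\b([0-9A-F]{%d})\b" % TAG_LEN)


def attribute(message: str, firms, secret: bytes = TAG_SECRET):
    """Map a message received at the decoy address to the firm whose note
    carried the ID it quotes. Returns None when no issued ID appears
    (unknown sender, mangled ID, or a well-formed but never-issued ID)."""
    issued = {make_tag(f, secret): f for f in firms}
    for candidate in TAG_RE.findall(message.upper()):
        for tag, firm in issued.items():
            if hmac.compare_digest(candidate, tag):
                return firm
    return None


# Constructed inbound messages at the decoy address: one from a firm that
# quoted its ID, one with no ID, and one quoting an ID that was never issued.
INBOX = [
    f"Hello, I would like to pay. My id is {make_tag('Recovery Firm B')}. "
    "How much in BTC?",
    "Hi, can you decrypt my files? I lost my ID.",
    "Paying now, ID: DEADBEEF00000000",
]


def triage(inbox, firms=FIRMS):
    """Attribute every inbound message; None marks unattributable ones."""
    return [attribute(m, firms) for m in inbox]


if __name__ == "__main__":
    for firm in FIRMS:
        print(f"--- note for {firm} ---\n{build_note(firm)}")
    print(triage(INBOX))
```

Each firm gets a note whose text is identical except for the ID, so nothing else in the note can be used to tell the copies apart. Attribution keys on the HMAC-derived ID rather than on the sender address, which is the point of the original experiment: the firms wrote from anonymous accounts, and the ID is what survived that indirection.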